Downgrade from Panorama 8.0

Save a backup of the Panorama and managed devices configuration files.
Export Panorama and device configuration snapshot
(
Panorama
Setup
Operations
).
Save the exported .tgz file to a location external to Panorama, Log Collectors, or firewalls. You can use this backup to restore the configuration if you experience problems that cause you to start over.
(
Panorama and Log Collectors running Panorama 8.0 or 8.0.1 only
) Upgrade Panorama and Log Collectors to Panorama 8.0.2 or later release.
Panorama 8.0 introduced a new log format that previous releases do not support. However, the ability to migrate the log format was introduced in Panorama 8.0.2. As a result, you will first need to upgrade the software to Panorama 8.0.2 from an 8.0 or 8.0.1 release before migrating the log format and software to Panorama 7.1.
Use the following procedures to upgrade Panorama and Log Collectors to Panorama 8.0.2 or later release as needed:
Install content and then software updates forPanorama.
Deploy content and then software updates to LogCollectors.
Save a backup of the Panorama and managed devices configuration files.
Export Panorama and device configuration snapshot
(
Panorama
Setup
Operations
).
Save the exported .tgz file to a location external to Panorama, Log Collectors, or firewalls. You can use this backup to restore the configuration if you experience problems that cause you to start over.
Downgrade each firewall running a PAN-OS 8.0 release.
If downgrading more than one firewall, streamline the process by having each firewall-specific PAN-OS 7.1 image downloaded to Panorama before you start downgrading. For example, to downgrade your PA-200, PA-3050, and PA-5060 firewalls to PAN-OS 7.1, download the
PanOS_700-7.1.0
,
PanOS_3000-7.1.0
, and
PanOS_5000-7.1.0
images.
Panorama requires that all firewalls are running the same or an earlier PAN-OS release. Thus, before you can downgrade Panorama, use and repeat the appropriate tasks below according to your environment to downgrade all managed firewalls:
Check Now
for available images (
Panorama
Device Deployment
Software
).
Locate the PAN-OS 7.1 image for each model or series of firewalls you intend to downgrade. If the image is not already downloaded, then
Download
it.
Non-HA Firewalls
Click
Install
in the Action column for the PAN-OS 7.1 version, select all the firewalls you intend to downgrade, select
Reboot device after install
, and click
OK
.
Active/Active HA Firewalls
Click
Install
, disable (clear)
Group HA Peers
, select either of the HA peers, select
Reboot device after install
, and click
OK
. Wait for the firewall to finish rebooting before you proceed.
Click
Install
, disable (clear)
Group HA Peers
, select the HA peer that you didn’t update in the previous step, select
Reboot device after install
, and click
OK
.
Active/Passive HA Firewalls
In this example, the active firewall is named fw1 and the passive firewall is named fw2:
Click
Install
in the Action column for the appropriate update, clear
Group HA Peers
, select fw2, select
Reboot device after install
, and click
OK
.
After fw2 finishes rebooting, verify fw1 (
Dashboard
High Availability
widget) that fw2 is still the passive peer (the Local firewall state is
active
and the Peer-fw2 is
passive
).
Access fw1 and
Suspend local device
(
Device
High Availability
Operational Commands
).
Access fw2 (
Dashboard
High Availability
widget) and verify that the Local firewall state is
active
and the Peer firewall is
suspended
.
Access Panorama, select
Panorama
Device Deployment
Software
, click
Install
in the Action column for the appropriate update, clear
Group HA Peers
, select fw1, select
Reboot device after install
, and click
OK
. Wait for fw1 to finish rebooting before you proceed.
Access fw1 (
Dashboard
High Availability
widget) and verify that the Local firewall state is
passive
and the Peer (fw2) is
active
.
If you enabled preemption in the Election settings (
Device
High Availability
General
), then fw1 will be reinstated as the active peer after reboot.
Before downgrading a Log Collector, disable log forwarding to that Log Collector to avoid losing the log data during migration.
Make sure to not push the configuration changes to any device group or template. This will apply the new IP addresses to the devices, and log forwarding will continue.
You will need to temporarily disable log forwarding to avoid data loss and avoid putting unnecessary stress on devices undergoing log migration. Logs generated during the migration will be buffered on the firewall, and forwarded to the designated location once log forwarding is enabled.
Make sure to keep track of the original IP addresses that will be edited to disable log forwarding. You will need to restore these IPs to re-enable log forwarding.
For Panorama in Panorama Mode:
Select
Panorama
Setup
Interfaces
and select
Management
.
Change the
IP Address
to different routable IP address and click
OK
.
If a dedicated port on Panorama is used for log forwarding, select the port and disable (clear)
Device Management and Device Log Collection
. Repeat this step for all dedicated ports used for log forwarding.
To quickly identify if a dedicated port is used for log forwarding, refer to the Services Enabled column and confirm that
Device Management and Log Collection
is listed.
Commit to Panorama
. Do not push the configuration change to devices, as it will push the new Management IP address to the firewalls and log forwarding will continue.
Log back in to Panorama using the new IP address.
Select
Push to Devices
and
Edit Selections
. You will need to
Deselect All Device Groups
and
Templates
, and
Select All Collector Groups
. Click
OK
and
Push
.
For Panorama with logs forwarded to Dedicated Log Collectors undergoing downgrade:
Select
Panorama
Managed Collectors
, select a Dedicated Log Collector that will undergo downgrade from Panorama 8.0 and select
Interfaces
.
Select
Management
and change the
IP Address
to a different routable IP address and click
OK
.
If a dedicated port on Panorama is used for log forwarding, select the port and disable (clear)
Device Management and Device Log Collection
. Repeat this for all dedicated ports used for log forwarding.
To quickly identify if a dedicated port is used for log forwarding, refer to the Services Enabled column and confirm
Device Management and Log Collection
is listed.
Click
OK
to exit the configuration screen and
Commit to Panorama
.
Select
Push to Devices
and
Edit Selections.
You will need to
Deselect All Device Groups
and
Templates
, and
Select All Collector Groups
. Click
OK
and
Push
.
Migrate existing logs to the pre-8.0 format so Panorama and Log Collectors can read log data after the downgrade.
You cannot pause or stop the migration after you begin. Disrupting the migration will cause some or all log data to become inaccessible. If the log migration is interrupted for any reason, repeat this step to restart the migration process. The migration will start anew, and not pick up from the point where the disruption occurred.
Migrating your logs is not a required step. If you do not need to access your existing logs, or are planning to upgrade back to Panorama soon, then avoid migrating your logs. Existing log data will be accessible again once Panorama and Log Collectors have been upgraded back to an 8.0 or later release. However, if access to your previous logs is required, continue with the log migration task.
During the migration, you cannot search within or query logs or generate reports and Panorama and Log Collectors cannot receive any new logs.
Access the Panorama CLI.
Migrate logs to the pre-8.0 format using the commands appropriate for your environment:
On Panorama with a local Log Collector or on a Dedicated Log Collector:
request logdb downgrade
On Panorama for each Collector Group:
request logdb downgrade collector-group
<collector-group-name>
Monitor the status of the log migration.
If you decide that you would like to end the log migration and continue with downgrade, you will need to gracefully power down the Panorama or Log Collector to avoid any data inconsistencies or data corruption. Alternatively, you can continuing to Step Downgrade each Log Collector running Panorama 8.0. to downgrade while the migration is running. This will ensure that the appliance is powered down gracefully. Please note that not all data will have been migrated, meaning that only some data will be available upon downgrade.
The migration takes approximately 24 hours for each 2TB of data. You can monitor progress during the downgrade process.
You can continue to push configuration changes to your managed firewalls during the migration. You cannot push configuration changes to a Log Collector that is undergoing a log format migration.
Access the Panorama CLI.
Check the status of the migration:
On Panorama with a local Log Collector or on a Dedicated Log Collector:
request logdb downgrade-in-progress
On Panorama for each Collector Group:
request logdb downgrade-in-progress
<collector-group-name>
It takes roughly 30-40 minutes after you start the migration before these commands display an output. When they do display output, the result is
Logger downgrade in progress
if the migration is still in progress. If the migration is finished (or was interrupted or was not started), the command displays
No logger downgrade is in progress
.
Downgrade each Log Collector running Panorama 8.0.
Check Now
for available images (
Panorama
Device Deployment
Software
).
Locate the Panorama 7.1 image. If the image is not already downloaded, then
Download
it (Action column).
After the download completes,
Install
the image on each Log Collector running Panorama 8.0. Select
Reboot device after install
to automatically reboot the device when the upgrade has completed.
Downgrade Panorama.
Check Now
for available images (
Panorama
Device Deployment
Software
).
Locate the Panorama 7.1 image. If the image is not already downloaded, then
Download
it.
After the download completes,
Install
the image on Panorama.
Reboot Panorama if the downgrade requires that:
If prompted to reboot, click
Yes
. If you see a
CMS Login
prompt, press Enter without typing the username or password. When the Panorama login prompt appears, enter the username and password you set during initial configuration.
If you are not prompted to reboot, select
Panorama
Setup
Operations
and click
Reboot Panorama
in the Device Operations section.
Re-enable log forwarding from the firewalls to Log Collectors.
If you disabled log forwarding in Step Before downgrading a Log Collector, disable log forwarding to that Log Collector to avoid losing the log data during migration., you will need to re-enable log forwarding once the downgrade has completed for Panorama and Log Collectors. All logs that would have been sent during the procedure will be forwarded to the appropriate Log Collector.
For Panorama in Panorama Mode:
Select
Panorama
Setup
Interfaces
and select
Management
.
Change the
IP Address
back to the original IP address.
If a dedicated port on Panorama is used for log forwarding, select the port and enable
Device Management and Device Log Collection
. Repeat this for all dedicated ports used for log forwarding.
Commit to Panorama
.
Log back in to Panorama using the original IP address.
Select
Push to Devices
and
Edit Selections
. You will need to
Deselect All Device Groups
and
Templates
, and
Select All Collector Groups
. Click
OK
and
Push
.
For Panorama with logs forwarded to Dedicated Log Collectors undergoing downgrade:
Select
Panorama
Managed Collectors
, select a Dedicated Log Collector that underwent downgrade from Panorama 8.0 and select
Interfaces
.
Select
Management
and change the
IP Address
back to the original IP address and click
OK
.
If a dedicated port on Panorama is used for log forwarding, select the port and enable
Device Management and Device Log Collection
. Repeat this for all dedicated ports used for log forwarding.
Click
OK
to exit the configuration screen and
Commit to Panorama
.
Select
Push to Devices
and
Edit Selections
. You will need to
Deselect All Device Groups
and
Templates
, and
Select All Collector Groups
. Click
OK
and
Push
.